This reverts commit aa1350384a.
The search for certificates is a complex, three-step process,
which filters results in subsequent searches. This filters out
non-relevant certificates when deleting a host or service.
This patch breaks that so deleting one service of a host will
revoke *all* certificates for that host.
Another attempt will be made separately to implement this.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This utilizes the new status option so that we only retrieve
VALID certificates when revoking certificates issued for a
specific host or service.
ae74d348c3 made a special case
in cert_find when searching for hosts and services so that if only
one host/service was searched on do a subject search. It only
works when there is exactly one option requested.
Since we want to restrict to only VALID certificates, pass
the hostname as subject directly when revoking certs when deleting
an entry to limit the number of certificates to consider.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Fix is to display the proper principal in error message
while attempting to delete required principal.
related: https://pagure.io/freeipa/issue/7695
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.
Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.
This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.
https://pagure.io/freeipa/issue/8013
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
SMB service has a number of predefined properties that must be set at a
creation time. Thus, we provide a special command that handles all the
needed changes. In addition, since SMB principal name is predefined, it
is generated automatically based on the machine hostname.
Since we generate the service's object primary key, its argument/option
should be removed from the list of the command's arguments and options.
We also remove those options that make no sense in the context of SMB
service.
Most controversial would probably be a lack of the authentication
indicator that could be associated with the service. However, this is
intended: SMB service on the domain member is used by both humans and
other SMB services in the domain. Thus, it is not possible to require a
specific authentication indicator to be present: automated acquisition
of the credentials by a domain controller or other domain member machine
accounts is based on a single factor creds and cannot be changed.
Access to SMB service should be regulated on the SMB protocol level,
with access controls in share ACLs.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.
check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.
Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On Python 3, six.text_type (singular) is an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.
The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.
https://pagure.io/freeipa/issue/7077
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
MD5 is a grandpa and FIPS does not like it at all.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints. Add our own helper functions to format the
fingerprints as hex (with colons).
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not. Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).
Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted. Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.
Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When service is not found in ipa-caalc-add-service command, return the
entire principal name of the service instead of the first character.
https://fedorahosted.org/freeipa/ticket/6171
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.
'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
e-mail) do not overlap with those of trusted AD domains
If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.
'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.
See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliaseshttps://fedorahosted.org/freeipa/ticket/1365https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The framework does not allow single param to appear as both positional
argument and option in a single command, or to represent two different
positional arguments for that matter. Since principal aliases shall go to
krbprincipalname attribute, the framework has to be tricked to believe
krbcanonicalname is the service's primary key. The entry DN stored in LDAP
remains the same.
https://fedorahosted.org/freeipa/ticket/1365
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.
The `--certificate option` of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.
https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All plugins will now use this parameter and common code for all operations on
Kerberos principals. Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move virtual attributes defined in output params of methods into params of
the related object.
This fixes the virtual attributes being ommited in CLI output.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
this is required for replica promotion to work, since the ACI allowing hosts
to add their own services uses this objectclass as target filter.
This partially reverts changes from commit
705f66f749https://fedorahosted.org/freeipa/ticket/5996
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
host/service-show/find methods would have failed if the first
certificate they had in userCertificate attribute were invalid.
Expected behavior is that they just show the rest of the reqested
attributes.
https://fedorahosted.org/freeipa/ticket/5797
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the existing remote server API to create service entries instead of a
client API.
This fixes a crash during replica promotion due to unavailable schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
When adding certifiates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA. Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives. Remove it and update call sites.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
